UPDATED AUG-20-2024. If these commands are not working it's because the environment variables have changed. Please see this post: Certificate renewal showing path //keys/-server.key - #3 by TheLumberjack and then come back here after ensuring the env vars are set properly
Alright. I think I have the set of steps that will fix your server certificates. I believe you should be able to replace just the server certs. Since it's been a year, I hope the quickstart variables haven't changed too much and all these commands work.
Establish some variables and make sure they look right
First, set up some vars. It's important that the DNS/IP variables are full and complete and are what you expect them to be. Make sure you have set EXTERNAL_DNS and ZITI_EDGE_CONTROLLER_IP_OVERRIDE if you use them. Also make sure you have the .env file sourced (or all the variables referenced below set properly).
Run all these commands; at the end they echo the values found. Verify those values. Here's my example:

```bash
export ZITI_CTRL_IDENTITY_KEY="${ZITI_PKI_OS_SPECIFIC}/${ZITI_CONTROLLER_INTERMEDIATE_NAME}/keys/${ZITI_CONTROLLER_HOSTNAME}-server.key"
export ZITI_EDGE_CTRL_IDENTITY_KEY="${ZITI_PKI_OS_SPECIFIC}/${ZITI_EDGE_CONTROLLER_INTERMEDIATE_NAME}/keys/${ZITI_EDGE_CONTROLLER_HOSTNAME}-server.key"
now="$(date '+%Y-%m-%d-%M%S')"
pki_allow_list_dns="${ZITI_CONTROLLER_HOSTNAME},localhost,${ZITI_NETWORK}"
if [[ "${ZITI_EDGE_CONTROLLER_HOSTNAME}" != "" ]]; then pki_allow_list_dns="${pki_allow_list_dns},${ZITI_EDGE_CONTROLLER_HOSTNAME}"; fi
if [[ "${EXTERNAL_DNS}" != "" ]]; then pki_allow_list_dns="${pki_allow_list_dns},${EXTERNAL_DNS}"; fi
pki_allow_list_ip="127.0.0.1"
if [[ "${ZITI_EDGE_CONTROLLER_IP_OVERRIDE}" != "" ]]; then pki_allow_list_ip="${pki_allow_list_ip},${ZITI_EDGE_CONTROLLER_IP_OVERRIDE}"; fi
echo "DNS ENTRIES : $pki_allow_list_dns"
echo "IP ENTRIES : $pki_allow_list_ip"
echo "CTRL KEY FILE: ${ZITI_CTRL_IDENTITY_KEY}"
echo "EDGE KEY FILE: ${ZITI_EDGE_CTRL_IDENTITY_KEY}"
```
My example output:

```
DNS ENTRIES : ip-172-31-47-200,localhost,ip-172-31-47-200,ec2-3-134-108-218.us-east-2.compute.amazonaws.com,ec2-3-134-108-218.us-east-2.compute.amazonaws.com
IP ENTRIES : 127.0.0.1,3.134.108.218
CTRL KEY FILE: /home/ubuntu/.ziti/quickstart/ip-172-31-47-200/pki/ip-172-31-47-200-intermediate/keys/ip-172-31-47-200-server.key
EDGE KEY FILE: /home/ubuntu/.ziti/quickstart/ip-172-31-47-200/pki/ec2-3-134-108-218.us-east-2.compute.amazonaws.com-intermediate/keys/ec2-3-134-108-218.us-east-2.compute.amazonaws.com-server.key
```
Create new server certs
Now you need to make server certs for the controller api (the overlay network) and for the edge. NOTICE I have added the "expire-limit" flag on my example. I had patched the ziti-cli and set my limit to 'minutes' to actually test this. Hopefully, I did a good and thorough job testing (I tried to).
Make the cert for the overlay components:

```bash
"${ZITI_BIN_DIR-}/ziti" pki create server \
  --pki-root="${ZITI_PKI_OS_SPECIFIC}" \
  --ca-name "${ZITI_CONTROLLER_INTERMEDIATE_NAME}" \
  --key-file "${ZITI_CONTROLLER_HOSTNAME}-server" \
  --server-file "${ZITI_CONTROLLER_HOSTNAME}-server.${now}" \
  --dns "${pki_allow_list_dns}" \
  --ip "${pki_allow_list_ip}" \
  --expire-limit 1200 \
  --server-name "${ZITI_CONTROLLER_HOSTNAME} server certificate ${now}"
```
Make the cert for the edge:

```bash
"${ZITI_BIN_DIR-}/ziti" pki create server \
  --pki-root="${ZITI_PKI_OS_SPECIFIC}" \
  --ca-name "${ZITI_EDGE_CONTROLLER_INTERMEDIATE_NAME}" \
  --key-file "${ZITI_EDGE_CONTROLLER_HOSTNAME}-server" \
  --server-file "${ZITI_EDGE_CONTROLLER_HOSTNAME}-server.${now}" \
  --dns "${pki_allow_list_dns}" \
  --ip "${pki_allow_list_ip}" \
  --expire-limit 1200 \
  --server-name "${ZITI_EDGE_CONTROLLER_HOSTNAME} server certificate ${now}"
```
Update the controller config file
Now find the files created using:

```bash
find "${ZITI_PKI_OS_SPECIFIC}" -name '*'"${ZITI_CONTROLLER_HOSTNAME}"'*'"${now}"'*.chain.pem'
find "${ZITI_PKI_OS_SPECIFIC}" -name '*'"${ZITI_EDGE_CONTROLLER_HOSTNAME}"'*'"${now}"'*.chain.pem'
```

The first result is the cert for the overlay components. Find the identity.server_cert setting in the controller config file and update it with this path.
The second result is the edge cert to use. Find it in the web section, probably under the name "client-management", and update it with the second path.
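Before pointing the controller config at the new chain files, it is worth confirming that the first certificate in each chain actually carries every DNS name and IP from the allow lists above and is not close to expiring. The following check is an added example, not part of the original post or of the ziti CLI; it assumes openssl is installed, and the chain path and allow lists are passed in by the caller.

```bash
#!/usr/bin/env bash
# Added example (not from the original post or the ziti project).
# Assumes openssl is on PATH; the cert path and allow lists are supplied by the caller.

# Print the SAN entries of the first certificate in a PEM file, one per line,
# as "DNS:name" / "IP Address:addr" tokens.
cert_sans() {
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
    | tail -n +2 | tr ',' '\n' | sed 's/^[[:space:]]*//'
}

# check_server_cert <chain.pem> <dns-csv> <ip-csv> [min-days]
# Returns 0 when every name in <dns-csv> and every address in <ip-csv> is a
# SAN of the cert and the cert stays valid for at least min-days (default 30).
# Returns 1 and prints each problem otherwise; returns 2 if the file is unreadable.
check_server_cert() {
  local pem="$1" dns_csv="$2" ip_csv="$3" min_days="${4:-30}"
  local sans name rc=0
  sans="$(cert_sans "$pem")" || return 2
  local IFS=','
  for name in $dns_csv; do
    [ -z "$name" ] && continue
    grep -qx "DNS:${name}" <<<"$sans" || { echo "missing DNS SAN: $name"; rc=1; }
  done
  for name in $ip_csv; do
    [ -z "$name" ] && continue
    grep -qx "IP Address:${name}" <<<"$sans" || { echo "missing IP SAN: $name"; rc=1; }
  done
  unset IFS
  # -checkend takes seconds and exits non-zero if the cert expires within that window
  if ! openssl x509 -in "$pem" -noout -checkend $(( min_days * 86400 )) >/dev/null; then
    echo "cert expires within ${min_days} days: $(openssl x509 -in "$pem" -noout -enddate)"
    rc=1
  fi
  return "$rc"
}
```

With the variables from the first step still set, run `check_server_cert <path-from-find> "$pki_allow_list_dns" "$pki_allow_list_ip"` for each of the two chain files; a zero exit means the SANs match what the controller and edge will be addressed by.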
Here's a video of a walkthrough of regenerating the server certs using the ziti cli: